Garrett Honeycutt
commit
c73f520432
22
README.md
22
README.md
@ -150,6 +150,28 @@ in ssh_config.
|
||||
|
||||
- *Default*: undef
|
||||
|
||||
ssh_hostbasedauthentication
|
||||
-------------------------
|
||||
String for HostbasedAuthentication option in ssh_config. Valid values are 'yes' and 'no'.
|
||||
|
||||
- *Default*: undef
|
||||
|
||||
|
||||
ssh_strict_host_key_checking
|
||||
-----------------------------
|
||||
*string* For StrictHostKeyChecking setting in ssh_config. Valid values are
|
||||
'yes', 'no' or 'ask'.
|
||||
|
||||
- *Default*: undef
|
||||
|
||||
ssh_enable_ssh_keysign
|
||||
-----------------------------
|
||||
*string* For EnableSSHKeysign setting in ssh_config. Valid values are
|
||||
'yes' and 'no' or to leave undef which will ensure the setting is not present
|
||||
in ssh_config.
|
||||
|
||||
- *Default*: undef
|
||||
|
||||
sshd_addressfamily
|
||||
----------------
|
||||
Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration.
|
||||
|
||||
@ -20,6 +20,8 @@ class ssh (
|
||||
$ssh_config_forward_agent = undef,
|
||||
$ssh_config_server_alive_interval = undef,
|
||||
$ssh_config_sendenv_xmodifiers = false,
|
||||
$ssh_hostbasedauthentication = undef,
|
||||
$ssh_strict_host_key_checking = undef,
|
||||
$ssh_config_ciphers = undef,
|
||||
$ssh_config_macs = undef,
|
||||
$ssh_config_use_roaming = 'USE_DEFAULTS',
|
||||
@ -45,6 +47,7 @@ class ssh (
|
||||
$sshd_config_banner = 'none',
|
||||
$sshd_config_ciphers = undef,
|
||||
$sshd_config_macs = undef,
|
||||
$ssh_enable_ssh_keysign = undef,
|
||||
$sshd_config_allowgroups = [],
|
||||
$sshd_config_allowusers = [],
|
||||
$sshd_config_denygroups = [],
|
||||
@ -488,6 +491,14 @@ class ssh (
|
||||
validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.")
|
||||
}
|
||||
|
||||
if $ssh_strict_host_key_checking != undef {
|
||||
validate_re($ssh_strict_host_key_checking, '^(yes|no|ask)$', "ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <${ssh_strict_host_key_checking}>.")
|
||||
}
|
||||
|
||||
if $ssh_enable_ssh_keysign != undef {
|
||||
validate_re($ssh_enable_ssh_keysign, '^(yes|no)$', "ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <${ssh_enable_ssh_keysign}>.")
|
||||
}
|
||||
|
||||
if $sshd_config_authkey_location != undef {
|
||||
validate_string($sshd_config_authkey_location)
|
||||
}
|
||||
@ -527,6 +538,9 @@ class ssh (
|
||||
if $sshd_config_strictmodes != undef {
|
||||
validate_re($sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.")
|
||||
}
|
||||
if $ssh_hostbasedauthentication != undef {
|
||||
validate_re($ssh_hostbasedauthentication, '^(yes|no)$', "ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <${ssh_hostbasedauthentication}>.")
|
||||
}
|
||||
|
||||
validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
|
||||
|
||||
|
||||
@ -74,6 +74,7 @@ describe 'ssh' do
|
||||
'Suse-10-x86_64' => {
|
||||
:architecture => 'x86_64',
|
||||
:osfamily => 'Suse',
|
||||
:operatingsystem => 'SLED',
|
||||
:operatingsystemrelease => '10.4',
|
||||
:ssh_version => 'OpenSSH_5.1p1',
|
||||
:ssh_version_numeric => '5.1',
|
||||
@ -100,6 +101,7 @@ describe 'ssh' do
|
||||
'Suse-11-x86_64' => {
|
||||
:architecture => 'x86_64',
|
||||
:osfamily => 'Suse',
|
||||
:operatingsystem => 'SLED',
|
||||
:operatingsystemrelease => '11.4',
|
||||
:ssh_version => 'OpenSSH_6.6.1p1',
|
||||
:ssh_version_numeric => '6.6',
|
||||
@ -126,6 +128,7 @@ describe 'ssh' do
|
||||
'Suse-12-x86_64' => {
|
||||
:architecture => 'x86_64',
|
||||
:osfamily => 'Suse',
|
||||
:operatingsystem => 'SLED',
|
||||
:operatingsystemrelease => '12.0',
|
||||
:ssh_version => 'OpenSSH_6.6.1p1',
|
||||
:ssh_version_numeric => '6.6',
|
||||
@ -316,6 +319,9 @@ describe 'ssh' do
|
||||
'hmac-sha1-etm@openssh.com',
|
||||
],
|
||||
:ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2',
|
||||
:ssh_hostbasedauthentication => 'yes',
|
||||
:ssh_strict_host_key_checking => 'ask',
|
||||
:ssh_enable_ssh_keysign => 'yes',
|
||||
}
|
||||
end
|
||||
|
||||
@ -345,6 +351,9 @@ describe 'ssh' do
|
||||
it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
|
||||
it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
|
||||
it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2$/) }
|
||||
it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication yes$/) }
|
||||
it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking ask$/) }
|
||||
it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign yes$/) }
|
||||
end
|
||||
|
||||
context 'with params used in sshd_config set on valid osfamily' do
|
||||
@ -1465,6 +1474,7 @@ describe 'ssh' do
|
||||
default_facts.merge(
|
||||
{
|
||||
:osfamily => 'Suse',
|
||||
:operatingsystem => 'SLED',
|
||||
:fqdn => 'notinhiera.example.com',
|
||||
:lsbmajdistrelease => '11',
|
||||
:architecture => 'x86_64',
|
||||
@ -1736,6 +1746,111 @@ describe 'ssh' do
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with parameter ssh_hostbasedauthentication' do
|
||||
let :facts do
|
||||
default_facts.merge(
|
||||
{
|
||||
}
|
||||
)
|
||||
end
|
||||
|
||||
['yes','no'].each do |value|
|
||||
context "specified as valid #{value} (as #{value.class})" do
|
||||
let(:params) { { :ssh_hostbasedauthentication => value } }
|
||||
|
||||
it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication #{value}$/) }
|
||||
end
|
||||
end
|
||||
|
||||
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
|
||||
context "specified as invalid value #{value} (as #{value.class})" do
|
||||
let(:params) { { :ssh_hostbasedauthentication => value } }
|
||||
|
||||
if value.is_a?(Array)
|
||||
value = value.join
|
||||
elsif value.is_a?(Hash)
|
||||
value = '{ha => sh}'
|
||||
end
|
||||
|
||||
it 'should fail' do
|
||||
expect {
|
||||
should contain_class('ssh')
|
||||
}.to raise_error(Puppet::Error,/ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with parameter ssh_strict_host_key_checking' do
|
||||
let :facts do
|
||||
default_facts.merge(
|
||||
{
|
||||
}
|
||||
)
|
||||
end
|
||||
|
||||
['yes','no', 'ask'].each do |value|
|
||||
context "specified as valid #{value} (as #{value.class})" do
|
||||
let(:params) { { :ssh_strict_host_key_checking => value } }
|
||||
|
||||
it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking #{value}$/) }
|
||||
end
|
||||
end
|
||||
|
||||
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
|
||||
context "specified as invalid value #{value} (as #{value.class})" do
|
||||
let(:params) { { :ssh_strict_host_key_checking => value } }
|
||||
|
||||
if value.is_a?(Array)
|
||||
value = value.join
|
||||
elsif value.is_a?(Hash)
|
||||
value = '{ha => sh}'
|
||||
end
|
||||
|
||||
it 'should fail' do
|
||||
expect {
|
||||
should contain_class('ssh')
|
||||
}.to raise_error(Puppet::Error,/ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <#{Regexp.escape(value.to_s)}>\./)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with parameter ssh_enable_ssh_keysign' do
|
||||
let :facts do
|
||||
default_facts.merge(
|
||||
{
|
||||
}
|
||||
)
|
||||
end
|
||||
|
||||
['yes','no'].each do |value|
|
||||
context "specified as valid #{value} (as #{value.class})" do
|
||||
let(:params) { { :ssh_enable_ssh_keysign => value } }
|
||||
|
||||
it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign #{value}$/) }
|
||||
end
|
||||
end
|
||||
|
||||
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
|
||||
context "specified as invalid value #{value} (as #{value.class})" do
|
||||
let(:params) { { :ssh_enable_ssh_keysign => value } }
|
||||
|
||||
if value.is_a?(Array)
|
||||
value = value.join
|
||||
elsif value.is_a?(Hash)
|
||||
value = '{ha => sh}'
|
||||
end
|
||||
|
||||
it 'should fail' do
|
||||
expect {
|
||||
should contain_class('ssh')
|
||||
}.to raise_error(Puppet::Error,/ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with parameter sshd_gssapiauthentication' do
|
||||
let :facts do
|
||||
default_facts.merge(
|
||||
|
||||
@ -28,11 +28,17 @@
|
||||
PasswordAuthentication yes
|
||||
PubkeyAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
<% if @ssh_hostbasedauthentication -%>
|
||||
HostbasedAuthentication <%= @ssh_hostbasedauthentication %>
|
||||
<% end -%>
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
# ConnectTimeout 0
|
||||
# StrictHostKeyChecking ask
|
||||
<% if @ssh_strict_host_key_checking -%>
|
||||
StrictHostKeyChecking <%= @ssh_strict_host_key_checking %>
|
||||
<% end -%>
|
||||
# IdentityFile ~/.ssh/identity
|
||||
IdentityFile ~/.ssh/id_rsa
|
||||
IdentityFile ~/.ssh/id_dsa
|
||||
@ -90,3 +96,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
|
||||
<% if @ssh_config_macs -%>
|
||||
MACs <%= @ssh_config_macs.join(',') %>
|
||||
<% end -%>
|
||||
<% if not @ssh_enable_ssh_keysign.nil? -%>
|
||||
# EnableSSHKeysign no
|
||||
EnableSSHKeysign <%= @ssh_enable_ssh_keysign %>
|
||||
<% end -%>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user